formbook | b79d2d02fe777cfd64723ad9b3935b30c00cbc75614fcadbf867cce88df4a8fd

General

Target

H4vBtZsi8xAKaMm.exe
Size

1.2MB
MD5

7eabab04e4a6fdd45238e32ed81e222c
SHA1

e0e1dc469746f5e2e049ea4a93d9b09a9227b342
SHA256

b79d2d02fe777cfd64723ad9b3935b30c00cbc75614fcadbf867cce88df4a8fd
SHA512

eeaa0f02a15a66b3363f94730ad3cf7c533a4bf303cfa0f53b21959a54dc0f65c50b1ac179aa5f992e3e17bbfaaa1b7393da3d1859ddd51932d36bdf0b7fa21b

Score

10^/10

formbook u1p5 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u1p5

Decoy

yannickrast.com

shitcoin.team

mysweetelissa.com

tpnfrgm2wrld.xyz

freeclothesonline.com

rhoads-music.com

tanglewoodrx.com

sharkeycustoms.com

bonin-island.com

apeutah.com

metacehennem.xyz

deutscheno1.com

e-gate-io.store

hometoto.xyz

jojomove.com

vzn2aai2qj.icu

couponcodes6.com

pbcgotv.com

metarealtyhome.com

geymall.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1152-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/808-69-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

H4vBtZsi8xAKaMm.exeMSBuild.exeNAPSTAT.EXE

description	pid	process	target process
PID 1668 set thread context of 1152	1668	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 1152 set thread context of 1260	1152	MSBuild.exe	Explorer.EXE
PID 808 set thread context of 1260	808	NAPSTAT.EXE	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

H4vBtZsi8xAKaMm.exeMSBuild.exeNAPSTAT.EXE

pid process

1668 H4vBtZsi8xAKaMm.exe
1152 MSBuild.exe
1152 MSBuild.exe
808 NAPSTAT.EXE
808 NAPSTAT.EXE
808 NAPSTAT.EXE
808 NAPSTAT.EXE
808 NAPSTAT.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MSBuild.exeNAPSTAT.EXE

pid process

1152 MSBuild.exe
1152 MSBuild.exe
1152 MSBuild.exe
808 NAPSTAT.EXE
808 NAPSTAT.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

H4vBtZsi8xAKaMm.exeMSBuild.exeNAPSTAT.EXE

description pid process

Token: SeDebugPrivilege 1668 H4vBtZsi8xAKaMm.exe
Token: SeDebugPrivilege 1152 MSBuild.exe
Token: SeDebugPrivilege 808 NAPSTAT.EXE

pid	process
1668	H4vBtZsi8xAKaMm.exe
1152	MSBuild.exe
1152	MSBuild.exe
808	NAPSTAT.EXE
808	NAPSTAT.EXE
808	NAPSTAT.EXE
808	NAPSTAT.EXE
808	NAPSTAT.EXE

pid	process
1152	MSBuild.exe
1152	MSBuild.exe
1152	MSBuild.exe
808	NAPSTAT.EXE
808	NAPSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1668	H4vBtZsi8xAKaMm.exe
Token: SeDebugPrivilege	1152	MSBuild.exe
Token: SeDebugPrivilege	808	NAPSTAT.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

H4vBtZsi8xAKaMm.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 1668 wrote to memory of 1152	1668	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 1668 wrote to memory of 1152	1668	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 1668 wrote to memory of 1152	1668	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 1668 wrote to memory of 1152	1668	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 1668 wrote to memory of 1152	1668	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 1668 wrote to memory of 1152	1668	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 1668 wrote to memory of 1152	1668	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 1260 wrote to memory of 808	1260	Explorer.EXE	NAPSTAT.EXE
PID 1260 wrote to memory of 808	1260	Explorer.EXE	NAPSTAT.EXE
PID 1260 wrote to memory of 808	1260	Explorer.EXE	NAPSTAT.EXE
PID 1260 wrote to memory of 808	1260	Explorer.EXE	NAPSTAT.EXE
PID 808 wrote to memory of 1768	808	NAPSTAT.EXE	cmd.exe
PID 808 wrote to memory of 1768	808	NAPSTAT.EXE	cmd.exe
PID 808 wrote to memory of 1768	808	NAPSTAT.EXE	cmd.exe
PID 808 wrote to memory of 1768	808	NAPSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\H4vBtZsi8xAKaMm.exe
"C:\Users\Admin\AppData\Local\Temp\H4vBtZsi8xAKaMm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1768

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/808-68-0x0000000000C30000-0x0000000000C76000-memory.dmp

Filesize
280KB

Download
memory/808-71-0x0000000000850000-0x00000000008E3000-memory.dmp

Filesize
588KB

Download
memory/808-70-0x0000000002080000-0x0000000002383000-memory.dmp

Filesize
3.0MB

Download
memory/808-69-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1152-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-65-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download
memory/1152-66-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download
memory/1260-67-0x0000000005010000-0x0000000005157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-72-0x0000000007080000-0x00000000071C8000-memory.dmp

Filesize
1.3MB

Download
memory/1668-60-0x00000000005B0000-0x00000000005E4000-memory.dmp

Filesize
208KB

Download
memory/1668-55-0x0000000000A00000-0x0000000000B44000-memory.dmp

Filesize
1.3MB

Download
memory/1668-59-0x0000000005210000-0x0000000005298000-memory.dmp

Filesize
544KB

Download
memory/1668-58-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/1668-57-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/1668-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads